tun: fix a memory leak for tfile->tx_array

congwang · gregkh · commit 51c1f513fe96 · 2018-01-31T14:03:47.000+01:00
[ Upstream commit 4df0bfc ] tfile->tun could be detached before we close the tun fd, via tun_detach_all(), so it should not be used to check for tfile->tx_array. As Jason suggested, we probably have to clean it up unconditionally both in __tun_deatch() and tun_detach_all(), but this requires to check if it is initialized or not. Currently skb_array_cleanup() doesn't have such a check, so I check it in the caller and introduce a helper function, it is a bit ugly but we can always improve it in net-next. Reported-by: Dmitry Vyukov <dvyukov@google.com> Fixes: 1576d98 ("tun: switch to use skb array for tx") Cc: Jason Wang <jasowang@redhat.com> Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
diff --git a/drivers/net/tun.c b/drivers/net/tun.c
@@ -534,6 +534,14 @@ static void tun_queue_purge(struct tun_file *tfile)
 	skb_queue_purge(&tfile->sk.sk_error_queue);
 }
 
+static void tun_cleanup_tx_array(struct tun_file *tfile)
+{
+	if (tfile->tx_array.ring.queue) {
+		skb_array_cleanup(&tfile->tx_array);
+		memset(&tfile->tx_array, 0, sizeof(tfile->tx_array));
+	}
+}
+
 static void __tun_detach(struct tun_file *tfile, bool clean)
 {
 	struct tun_file *ntfile;
@@ -575,8 +583,7 @@ static void __tun_detach(struct tun_file *tfile, bool clean)
 			    tun->dev->reg_state == NETREG_REGISTERED)
 				unregister_netdevice(tun->dev);
 		}
-		if (tun)
-			skb_array_cleanup(&tfile->tx_array);
+		tun_cleanup_tx_array(tfile);
 		sock_put(&tfile->sk);
 	}
 }
@@ -616,11 +623,13 @@ static void tun_detach_all(struct net_device *dev)
 		/* Drop read queue */
 		tun_queue_purge(tfile);
 		sock_put(&tfile->sk);
+		tun_cleanup_tx_array(tfile);
 	}
 	list_for_each_entry_safe(tfile, tmp, &tun->disabled, next) {
 		tun_enable_queue(tfile);
 		tun_queue_purge(tfile);
 		sock_put(&tfile->sk);
+		tun_cleanup_tx_array(tfile);
 	}
 	BUG_ON(tun->numdisabled != 0);
 
@@ -2624,6 +2633,8 @@ static int tun_chr_open(struct inode *inode, struct file * file)
 
 	sock_set_flag(&tfile->sk, SOCK_ZEROCOPY);
 
+	memset(&tfile->tx_array, 0, sizeof(tfile->tx_array));
+
 	return 0;
 }
 

Original file line number	Diff line number	Diff line change
`@@ -534,6 +534,14 @@ static void tun_queue_purge(struct tun_file *tfile)`
`534`	`534`	`skb_queue_purge(&tfile->sk.sk_error_queue);`
`535`	`535`	`}`
`536`	`536`
	`537`	`+static void tun_cleanup_tx_array(struct tun_file *tfile)`
	`538`	`+{`
	`539`	`+ if (tfile->tx_array.ring.queue) {`
	`540`	`+ skb_array_cleanup(&tfile->tx_array);`
	`541`	`+ memset(&tfile->tx_array, 0, sizeof(tfile->tx_array));`
	`542`	`+ }`
	`543`	`+}`
	`544`	`+`
`537`	`545`	`static void __tun_detach(struct tun_file *tfile, bool clean)`
`538`	`546`	`{`
`539`	`547`	`struct tun_file *ntfile;`
`@@ -575,8 +583,7 @@ static void __tun_detach(struct tun_file *tfile, bool clean)`
`575`	`583`	`tun->dev->reg_state == NETREG_REGISTERED)`
`576`	`584`	`unregister_netdevice(tun->dev);`
`577`	`585`	`}`
`578`		`- if (tun)`
`579`		`- skb_array_cleanup(&tfile->tx_array);`
	`586`	`+ tun_cleanup_tx_array(tfile);`
`580`	`587`	`sock_put(&tfile->sk);`
`581`	`588`	`}`
`582`	`589`	`}`
`@@ -616,11 +623,13 @@ static void tun_detach_all(struct net_device *dev)`
`616`	`623`	`/* Drop read queue */`
`617`	`624`	`tun_queue_purge(tfile);`
`618`	`625`	`sock_put(&tfile->sk);`
	`626`	`+ tun_cleanup_tx_array(tfile);`
`619`	`627`	`}`
`620`	`628`	`list_for_each_entry_safe(tfile, tmp, &tun->disabled, next) {`
`621`	`629`	`tun_enable_queue(tfile);`
`622`	`630`	`tun_queue_purge(tfile);`
`623`	`631`	`sock_put(&tfile->sk);`
	`632`	`+ tun_cleanup_tx_array(tfile);`
`624`	`633`	`}`
`625`	`634`	`BUG_ON(tun->numdisabled != 0);`
`626`	`635`
`@@ -2624,6 +2633,8 @@ static int tun_chr_open(struct inode inode, struct file file)`
`2624`	`2633`
`2625`	`2634`	`sock_set_flag(&tfile->sk, SOCK_ZEROCOPY);`
`2626`	`2635`
	`2636`	`+ memset(&tfile->tx_array, 0, sizeof(tfile->tx_array));`
	`2637`	`+`
`2627`	`2638`	`return 0;`
`2628`	`2639`	`}`
`2629`	`2640`